The Audit Risk Model (#299)
/In this podcast episode, we discuss how the audit risk model works. Key points are noted below.
The Nature of Audit Risk
Audit risk is the risk that an auditor expresses an incorrect opinion on financial statements that are materially misstated. Since auditors can get sued for this – and will lose the court case and have to pay up – they need a tool for reducing the risk.
They could reduce audit risk by brute force, which means examining every single one of the client’s transactions. But that would be incredibly expensive. So instead, they have the audit risk model. This model calculates the total amount of risk associated with an audit by breaking it down into three pieces. There’s control risk, which is the risk that material misstatements wouldn’t be detected or prevented by a client’s control systems. This is a big one, since auditors can rely on a good control system and cut way back on their audit procedures. But if the control system stinks, then the auditors need to compensate for it with more procedures.
And then there’s inherent risk, which is the risk that a client’s financial statements are susceptible to material misstatements in the absence of internal controls. This can be a problem in a complex business, and especially ones where there’s a lot of judgment involved in making decisions, because an inexperienced person is more likely to make a mistake. There’s also more inherent risk when a business deals with a lot of non-routine transactions, where there aren’t any procedures for them. Same problem – an inexperienced person could screw them up. In short, a business with inherent risk is just structured so that stuff can go wrong.
And finally, there’s detection risk. This is the risk that the audit procedures to be used aren’t capable of detecting a material misstatement. The auditor can control detection risk by adding on more procedures – or at least, relevant procedures. This one is the main variable. The auditor can dial up the procedures when the other two risks are looking bad, or dial down the procedures when the other risk levels look fairly low.
So – the audit risk model states that you multiply the assessed percentage of control risk by the assessed percentage of the inherent risk, and by the assessed percentage of detection risk, and that gives you the percentage audit risk.
In other words, if any of these subsidiary-level risks are on the high side, and especially if several of them are, then the auditor will be looking at a seriously high risk of expressing an incorrect audit opinion. Which can be career-ending. And drain their bank account if there’s a lawsuit.
Problems with the Audit Risk Model
The model seems simple enough, but there’s one basic problem with. How do you come up with those percentages? Who’s to say that control risk should be assessed at ten percent? Or twenty? Or thirty? Defining these risks is subjective, so it would be really hard to defend any specific number. It would be foolish to set inherent risk at, say, fourteen percent – how would you justify it?
And for that matter, since every input to the equation is subjective, how can anyone realistically expect to multiply them together and get a meaningful result? Essentially, we’re trying to apply mathematical concepts to opinions.
A Simplified Approach
And that’s why auditors prefer to assign either a high, medium, or low rating to each one of those risks. It’s sort of like a traffic light. Green is a low risk rating, red is bad, and amber is somewhere in between. When everything is green, the auditor is happy because the audit risk is green, too. When everything is red, it’s time for the auditor to walk away from the audit, because there’re no way to develop a cost-effective audit opinion.
So how do auditors come up with these high, medium, or low assessments? It’s still a judgment call. Inherent risk is red when the environment is complex and there aren’t a lot of procedures. In the reverse situation, it’s green. When the auditor does a preliminary test of controls and all the controls are working as planned, then it gets a green score. When the result is more like a war zone, it gets a red score. Those are the easy ones. The auditor needs to decide under what circumstances a medium rating will be handed out. There isn’t any clear guidance on this – it’s still a judgment call.
So, what about practically all of the audits, where the score is not all red or all green? As a general rule, if control risk and inherent risk are both high and detection risk is medium, then the auditor will not accept the engagement, because the cost of all the audit procedures needed will be too high. If the detection risk drops to green, then it’ll probably be cost-effective for the auditor to proceed, but she needs to watch the outcome of the audit procedures, to see if anything squirrely pops up – and there’s a good chance that it will.
On the other hand, if any combination of two risks are considered low, then the audit can proceed. That’s nice. The trouble is, that if you calculate the number of variations of three audit risks and three risk rankings, you have 27 possible combinations of outcomes, and in about half of them, it’s not clear if the auditor should walk away or take the engagement.
So, as you might expect, this is a fraught area for auditors. All the way through an audit, they’re constantly re-evaluating the audit risk, and altering their audit procedures to deal with what they find.
It might seem that this episode was entirely for the benefit of new auditors. Not entirely. Look at this from the perspective of the client. If you present the auditor with a crappy control system or an inherently complex operating environment, the only way the auditor is going to be able to provide a clean audit opinion is by piling on the audit procedures – which can get pretty expensive.
So, it makes sense to keep working on your control systems during the off season when the auditors aren’t around, to make them as robust as you can. And try to persuade management to streamline the business a bit, install more procedures, and pay for more employee training, so that the inherent risk goes down, too.
When you do that, the auditors have less heartburn and more importantly, they’ll have less work to do, so their audit fee will be less.