FREE ESSAY ON AUDIT RISK MODEL

AUDIT RISK MODEL

1999 Semester II
AFM 312
Auditing
Assignment 1
Audit Risk Model
Posting Date: 6 September, 1999
Table of Contents
A) DEFINITION OF RISKS 1
INHERENT RISK 1
CONTROL RISK 1
AUDIT RISK 1
DETECTION RISK 1
B) ARMIDALE PTY LTD - YEAR 1 3
INHERENT & CONTROL RISK LEVELS 3
DETECTION RISK & EVIDENCE ACCUMULATION 3
C) ARMIDALE PTY LTD - YEAR 3 4
SETTING AUDIT RISK HIGH 4
WHAT IS A 'LOW' LEVEL OF IR & CR 4
D) THE AUDIT RISK MODEL IN PRACTICE 5
A) Definition of Risks
Inherent Risk
This is defined in AUS 402 as 'the susceptibility of an account balance ... to
misstatement that could be material ... assuming there were no related internal controls'
(AUS 402.09).
Estimating the inherent risk (IR) for each account balance or class of transactions
requires the auditor to take into account such factors as the level of complexity
involved in determining the 'correct' balance of an account, the complexity of
transactions involving the particular account(s) and the 'portability' of the assets
involved.
The estimation of IR is done as though no internal controls exist - it looks only at the
nature of the account being evaluated.
Control Risk
AUS 402 defines this as 'the risk that misstatements that could occur in an account
balance ... that could be material ... will not be prevented or detected on a timely
basis by the internal control structure' (AUS 402.06). 
The evaluation of the level of control risk (CR) requires the auditor to have a thorough
understanding of the internal control structure that is in place, and practiced (not
necessarily the same thing) within the organisation to be studied. Elements such as the
segregation of duties, the existence of 'management overrides', and the level of
formalised policies and procedures in use are among the factors to be considered.
Audit Risk
Defined in AUS 402 as 'the risk that the auditor gives an inappropriate audit opinion
when the financial report is materially misstated.' (AUS 402.03)
The level that is set as the acceptable audit risk (AR) reflects the degree of certainty
that the auditor and audit subject wish to achieve. An audit opinion can never be a
guarantee (AR = 0), even if every transaction during the year was tested, due, at least
in part, to the interpretive nature of many of the accounting decisions involved.
Detection Risk
The final part of the risk model outlined in AUS 402 is defined as 'the risk that an
auditor's substantive procedures will not detect a misstatement...' (AUS 402.07)
This risk relates to the volume, effectiveness and sufficiency of the audit testing and
investigation undertaken.
Both IR and CR are related to the probability that a particular balance will contain an
error, either accidental or fraudulent, while detection risk (DR) is the probability that
the auditor will not detect the error (Graham, 1985, p.15).
The audit risk model is 'a joint probability statement of independent events' (Wade,
1996) which attempts to combine these probabilities and give an overall 'chance' of a
misstatement existing (IR * CR) and remaining undetected (* DR) - leading to the auditor
giving an inappropriate audit opinion (AR).
B) Armidale Pty Ltd - Year 1
Inherent & Control Risk Levels
In the first year of an engagement the auditor will have gained only a limited knowledge
of the client and their practices.
Faced with a poor internal control structure the auditor may question the level of
management experience and knowledge, which AUS 402.14(b) suggests may be an indicator of
high inherent risk. This, combined with the newness of the engagement, would be
sufficient cause to set IR at a high level at the financial report level, and for most,
if not all, of the assertions below that.
AUS 402.32 & AUS 402.34 mandate the setting of control risk to high 'unless the auditor
is able to identify internal controls ... likely to prevent or detect and correct a
material misstatement' (AUS 402.32(a)). Given the conclusion of the auditor that such a
control structure does not exist within Armidale Pty Ltd they would have no option but to
set CR as high - which is a logical choice given our previous definition of CR.
Detection Risk & Evidence Accumulation
Assuming that the auditor wishes to achieve a low level of Audit Risk, especially given
the newness of the engagement and the lack of an effective control structure we can, by
restating the audit risk model as DR = AR / (IR x CR) determine what the level of
detection risk must be set at to achieve the desired level of AR.
If, for example, an AR of 5% is desired with both IR & CR set to 100% the DR comes out to
be:
DR = .05 / ( 1 x 1)
DR = .05 (5%)
This means that the auditor can only accept a 5% probability that their substantive
procedures fail to detect any material misstatements. Achieving this level of assurance
will require the gathering of a large amount of evidence - large samples will need to be
carefully tested and examined across most assertions.
As the accumulation of evidence is, due to the time and resources required, one of the
more expensive components of an audit the cost of running an audit with high CR & IR
ratings will be greater than 'normal'. The auditor must balance the costs and fees of
this initial audit against the long term relationship with this new client - as well as
their local competitors.
C) Armidale Pty Ltd - Year 3
Setting Audit Risk High
With more knowledge and exposure to the client and their environment the auditor could
choose to set the audit risk to a higher level when, for example, there are few external
users of the financial statements (AFM312, 1999). 
It can also be set higher when control risk is low due to the presence of a strong
internal control structure and inherent risk is also assessed as low. IR can be set lower
based on the auditors judgement on such factors as the stability of the company and the
environment it operates in, the level of management expertise, and the complexity and
nature of transactions and accounts involved. 
What is a 'low' level of IR & CR
Issuing an inappropriate audit opinion can be expensive for an auditor, especially in our
increasingly litigious society and with courts having a fairly wide definition of an
auditor's duty of care.
No system of internal controls can guarantee 100% detection of material misstatement -
mistakes, whether accidental or fraudulent, will occur and some will escape detection,
again either by deception or an oversight. Adopting a minimum level of CR of around 30%
allows for this - in effect the auditor says that they believe the internal controls are
sufficient to ensure that a minimum of 70% of misstatements will be detected and/or
corrected. 
Inherent risk is, by definition, evaluated as though no internal control system is in
place. While it can be set lower as suggested in the previous section, the relationship
between DR, AR, CR & IR as expressed in the model means that setting it to a lower value
increases the allowable detection risk to achieve a desired level of audit risk. 
For a 5% AR with CR set to 30% and IR to 80% we get a DR value of:
DR = 0.05 / (0.3 * 0.8)
DR = 0.21 
If we lower IR to 30% DR becomes 0.56 - our substantive procedures now need to be less
than 50% effective at detecting misstatements because we 'trust' the client and their
systems. Increasing the allowable level of DR could, for example, lead to a less thorough
audit process on 'old & trusted' clients.
D) The Audit Risk Model in Practice
Is the audit risk model as outlined in AUS 402 a useful tool for helping to plan audit
evidence requirements in practice?
Much of the documentation and discussion relating to the assessment of the various risk
elements involved in the model addresses the issue at the individual account balance or
transaction class level. An area of concern (AFM312, 1999; Lea et al, 1992; Wade, 1996)
is the link between these many individual assessments and an 'overall' risk rating at the
financial statement level. 
As the model uses various independent probabilities it is not possible to simply 'sum
together' the assessment for individual areas. There have been suggestions of
methodologies for providing overall aggregation of assertion level risk assessments (Lea
et al, 1992) however these have not been included in any of the current Auditing
standards. 
This 'linkage' problem limits the value of the model to an auditor as the amount of work
required to derive all of the estimates that AUS 402 suggests could be viewed as
excessive and requiring substantial amounts of duplication of effort. This limitation
appears to have led to the model being largely ignored, or at least circumvented.
Studies such as those by Mock and Wright (1999) have investigated the effect of different
levels of assessed risk on the design of actual audit programs. These studies have found
that, in the majority of cases, auditors utilise a 'standard' set of substantive
procedures for all engagements, regardless of variations in risk factors. Others such as
Fitzsimons (1992) and Jacoby (1995) found that both inherent and control risk are,
particularly for small to medium sized businesses, consistently set to 100%, even with
continuing engagements - reinforcing the use of a 'standard' test plan.
Reliance on standard plans may give the auditor a sense of security, whether justified or
not, as they have built a level of confidence in the results and can easily compare this
year to last year. Performing less substantive testing than 'normal' may open the auditor
to claims of negligence if a material misstatement escapes detection and a user of the
audited statements suffers damage as a result. The studies assert that the auditor
therefore tends to be conservative and maintain a heavy reliance on substantive testing.
If both IR & CR are automatically set at 100% for all clients, and the auditor relies on
achieving a 5% overall AR, detection risk must, according to the model, also be set to
5%. Detection risk is made up of two components, sampling risk, and non-sampling risk.
Sampling risk arises from the selection of samples within an overall population of
transactions and accounts. If the samples selected do not accurately reflect the
population the testing may not capture a misstatement. Sampling risk can be countered by
increasing the proportion of the overall population being tested. Accumulation of
evidence, testing the sample, is one of the high cost areas of an audit and decreasing
the sampling risk can, therefore, be a high cost exercise (Arens et al, 1987).
Non-sampling risk derives from the selection and application of the actual audit
procedures to the selected samples. Inappropriate or ineffective procedures may return
misleading information and lead to incorrect evaluation of results.
The audit risk model assumes that non-sampling risk is negligible and that detection risk
is largely controllable through sample size manipulation. While it is contended by, for
example, Gul et al (1995) that 'this risk can be reduced to a low level through effective
training, planning and supervision' the use of 'standard' test plans for all clients
could lead to 'blind rote' application of procedures without any real understanding of
the purpose or relevance of a particular test.
In these conditions a series of small non-sampling errors could rapidly accumulate and
reduce the value of the substantive testing. Where only a small allowance for error
exists, due to the reluctance of the auditor to place more emphasis on the internal
control systems, the desired level of AR could become unachievable.
The audit risk model outlined in AUS 402 as well as many of the overseas auditing
standards would seem to be useful for planning the level of testing required for specific
accounts or account classes. This is particularly so where the auditor believes internal
control systems are in place and effective (low CR) and where the inherent risk is also
medium to low.
It appears, however, that, for many reasons, the auditing fraternity has not rushed to
utilise the model in developing audit plans - preferring to rely on standard series of
tests - although Mock & Wright (1999) did identify some movement towards increasing use
of the model for planning purposes.